Hacking - Security

2bad
New member
Posts: 6
Joined: Mon Mar 22, 2021 10:13
In-game: 2bad

Hacking - Security

by 2bad » Post

Hello,

First of all thank you for the server Capture The Flag, it's great.

My answer is about the security of the server.
I'm aware that just the name CTF must attract cheaters and hackers from all the mine sphere...

They can kill me hundreds of times in game, but this is not a problem for me, even if I'll maybe never accede to the prochest...

The problem is if they can hack the server and access the players' data, such as my IP or the hash of my password.
Has it happened?
Is there any topic or page where such problems in minetestCTF are reported?


2bad / bBAD

2bad
New member
Posts: 6
Joined: Mon Mar 22, 2021 10:13
In-game: 2bad

Re: Hacking - Security

by 2bad » Post

Thank you for your answer.

lupara
New member
Posts: 5
Joined: Fri May 12, 2023 06:09

Re: Hacking - Security

by lupara » Post

Considering the situation, that there are quite crazy players, the question is quite important and a detailed answer even more so. So make the effort to find an answer. After all, it is about the security of personal data in the game. No answer equals no protection. But it would be important to be able to protect yourself as much as possible. What are the basics that should be considered?

LMD
Member
Posts: 1385
Joined: Sat Apr 08, 2017 08:16
GitHub: appgurueu
IRC: appguru[eu]
In-game: LMD
Location: Germany

Re: Hacking - Security

by LMD » Post

You are confusing hacking and cheating here.

"Cheating" is done using a "cheat client" (sometimes misleadingly called a "cracked client" or "hack client"). These clients essentially just break assumptions the server makes. Most strikingly, the server assumes that clients take care of their movement. This makes it trivial to modify clients to allow noclip or fly. Mitigation is unfortunately nontrivial simply because given lag - and numerous glitches - server-side validation is nontrivial; when is a player legitimately flying / jumping / blasted / falling / glitching through blocks? Hard to answer accurately, even for the human observer - every now and then there's a false positive where it appears as if someone is hacking but it's just lag in the end.

"Cheating" is not the same as hacking the server. To my knowledge, there haven't been any successfully carried out remote code execution attacks against CTF (or any other Minetest server). It probably is possible given the mess that the C++ code is, but it requires an experienced attacker. There have been a few vulnerabilities in the past, but most of them required your (mod) code to run on the server or were only moderate severity.

That said, it isn't terribly difficult to ask the server for a little more data than it is supposed to give you. This is limited to the data the server sends to players though. As far as I know, the server never sends IP addresses or the password hashes.

TL;DR: Cheaters are not hackers. Don't make vulnerabilities up out of thin air.
My stuff: Projects - Mods - Website
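
The lag problem described in the post above, as an added Python illustration (not Minetest or CTF code, and not written by any poster in this thread): a per-packet speed check flags an honest player whose delayed reports arrive in a burst, while a check averaged over a time window does not, yet still catches sustained speeding. The speed limit, slack factor, window length and all report data are constructed assumptions.

```python
from collections import deque

MAX_SPEED = 4.0  # assumed walking speed limit, nodes per second
SLACK = 1.25     # assumed tolerance factor for jitter and rounding
WINDOW = 2.0     # seconds of history averaged by the tolerant check

def naive_flags(reports):
    """Flag every step whose speed, measured by server arrival time, is too high."""
    flags = []
    for (t0, x0), (t1, x1) in zip(reports, reports[1:]):
        dt = max(t1 - t0, 1e-3)  # avoid division by zero on simultaneous arrivals
        if abs(x1 - x0) / dt > MAX_SPEED * SLACK:
            flags.append(t1)
    return flags

def windowed_flags(reports):
    """Flag only when the average speed over at least WINDOW seconds is too high."""
    flags, window = [], deque()
    for t, x in reports:
        window.append((t, x))
        # Keep window[0] as the newest sample that is still >= WINDOW seconds old.
        while len(window) > 2 and t - window[1][0] >= WINDOW:
            window.popleft()
        t0, x0 = window[0]
        if t - t0 >= WINDOW and abs(x - x0) / (t - t0) > MAX_SPEED * SLACK:
            flags.append(t)
    return flags

def walk(speed, delayed):
    """Constructed sample: (arrival time, x) reports sent every 0.1 s for 3 s.

    Movement is one-dimensional to keep the arithmetic visible; `delayed` maps
    a report index to the later time at which the server actually receives it.
    """
    reports = []
    for k in range(31):
        sent = round(k * 0.1, 2)
        reports.append((delayed.get(k, sent), speed * sent))
    return reports

# Five reports held up by a lag spike, then delivered within 40 ms of each other.
LAG_BURST = {10: 1.45, 11: 1.46, 12: 1.47, 13: 1.48, 14: 1.49}
honest_laggy = walk(4.0, LAG_BURST)   # legitimate walking speed, bad connection
cheater = walk(12.0, {})              # three times the limit, perfect connection

if __name__ == "__main__":
    for name, reports in (("honest+lag", honest_laggy), ("cheater", cheater)):
        print(name, "naive:", len(naive_flags(reports)),
              "windowed:", len(windowed_flags(reports)))
```

The windowed check pays for its lower false-positive rate with latency: it cannot flag anything until it has two seconds of history, and a short burst of illegitimate movement averages out below the threshold.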

lupara
New member
Posts: 5
Joined: Fri May 12, 2023 06:09

Re: Hacking - Security

by lupara » Post

Thank you for your very important answer!
My sentence was probably very offensive: "no answer = no protection".
However, my motivation was already a provocation to force an answer; for that I apologize.
I don't see the confusion of the definitions of hacking and cheating here. That they are 2 essentially different pairs of shoes should be clear. ;)
All the best and have fun

Hybrid Dog
Member
Posts: 2828
Joined: Thu Nov 01, 2012 12:46
GitHub: HybridDog

Re: Hacking - Security

by Hybrid Dog » Post

The Minetest wiki has documentation about this topic: https://wiki.minetest.net/Setting_up_a_ ... our_server
I would additionally protect the Minetest server with firejail: https://github.com/netblue30/firejail
In Minetest, a man in the middle (Dolev-Yao attacker) can control all players which are currently online: https://github.com/minetest/minetest/issues/10206
